Creating a VPN server
Create a VPN server to allow clients from the internet to connect to the VPC network while maintaining secure connectivity.
You can create a VPN server by using the UI, CLI, or API.
Before you begin
Before you provision a VPN server, complete these prerequisites in the following order:
- Decide which VPN client authentication mode to use: certificate-based, user ID and passcode, or both. For more information, see Setting up client-to-site authentication.
- Create a Secrets Manager service instance and manage certificates. It is recommended that you create a private certificate with these considerations in mind.
- Create an IAM service-to-service authorization for your VPN server and IBM Cloud Secrets Manager.
- Create a VPC and at least one subnet in your selected VPC. For high availability, create a VPC and two subnets in two different zones; the VPN server then resides in both subnets.
Creating a VPN server in the UI
To create a client-to-site VPN server in the UI:
- Complete all prerequisites in the "Before you begin" section.
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu icon, then click VPC Infrastructure > VPNs in the Network section.
- Click Create in the upper right of the page.
- In the VPN type section, click Client-to-site servers. The Locations section shows the region where the VPC is located and where the VPN server will be provisioned.
- In the Details section, specify the following information:
  - VPN server name - Enter a name for the VPN server, such as my-vpn-server.
  - Resource group - Select a resource group for the VPN server.
  - Tags - Optionally, add tags to organize, track usage costs, or manage access to your resources.
  - Access management tags - Optionally, add access management tags to resources to help organize access control relationships. The only supported format for access management tags is key:value. For more information, see Controlling access to resources by using tags.
  - Virtual private cloud - Select the VPC for the VPN server.
  - Client IPv4 address pool - Enter a CIDR range. Each client is assigned an IP address for its session from this address pool.
- In the Subnets section, specify the following information:
  - Select a VPN server mode:
    - High-availability mode - Deploys the VPN server across two subnets in different zones. Best for multi-zone deployments and solutions where client VPN access is critical.
    - Stand-alone mode - Deploys the VPN server in a single subnet and zone. Best for single-zone deployments where multi-zone resiliency is not required.
  - Specify the subnet (stand-alone mode) or subnets (HA mode) for your VPC.
- In the Authentication section, specify the following information:
  - VPN server authentication - Select the server SSL certificate from Secrets Manager. Complete all required fields.
  - Client authentication modes - Select whether to authenticate users with a client certificate, a user ID and passcode, or both.
    - Client certificate - You can select a client certificate and also configure a user ID and passcode for optimal security. A user ID and passcode provides an added layer of security that requires additional login credentials for account access. Optionally, you can upload a Certificate Revocation List (CRL) in PEM format. After you upload a CRL, the PEM file shows as the name of the VPN server.
    - User ID and passcode - Configure added authentication for VPN client users. This authentication method offers an added layer of security that integrates with IBM Cloud IAM to complete the client authentication. When authentication is completed, the system passes the code to the OpenVPN client for authentication.
- In the Security groups section, select at least one security group. To configure one or more security groups and their rules, or to optionally configure access control lists (ACLs) on the subnet where you plan to deploy the VPN server and on other VPC subnets that communicate over the VPN tunnel, see Configuring ACLs and security groups for use with a VPN server. You can also attach security groups after provisioning from the VPN server's details page (Security Groups tab).
- In the Additional configuration section, specify the following information:
  - DNS server IP address - Optionally, specify one or two DNS server IP addresses for domain name resolution.
  - Idle timeout session (seconds) - If a VPN client sends no traffic for this interval, the server disconnects it. This value can range from 0 to 28800 seconds. The default value is 600 seconds.
  - Transport protocol - Select one of the following protocols and enter a valid VPN port (1 - 65535):
    - UDP is a connectionless protocol that performs error checking but discards erroneous packets. Faster than TCP.
    - TCP is a connection-oriented protocol with error checking and error recovery. More reliable than UDP.
  - Tunnel mode - Specify one of the following:
    - Full tunnel - All traffic flows through the VPN interface to the VPN tunnel.
    - Split tunnel - Private traffic flows through the VPN interface to the VPN tunnel, and public traffic flows through the existing LAN interface.
Creating a VPN server from the CLI
Before you begin, set up your CLI environment.
To create a VPN server from the CLI, enter the following command:
ibmcloud is vpn-server-create --subnets SUBNETS --client-ip-pool CLIENT_IP_POOL --cert CERT (--client-auth-methods certificate | username | certificate,username | username,certificate) [--client-ca CLIENT_CA] [--client-crl CLIENT_CRL] [--client-dns CLIENT_DNS] [--client-idle-timeout CLIENT_IDLE_TIMEOUT] [--enable-split-tunnel false | true] [--port PORT] [--protocol udp | tcp] [--security-group SECURITY_GROUP1 --security-group SECURITY_GROUP2 ...] [--name NAME] [--resource-group-id RESOURCE_GROUP_ID | --resource-group-name RESOURCE_GROUP_NAME] [--output JSON] [-q, --quiet]
Command options
- --subnets: Comma-separated IDs of the subnets to provision this VPN server in. Use subnets in different zones for high availability; at most two subnets can be set.
- --client-ip-pool: The VPN client IPv4 address pool, expressed in CIDR format. The request must not overlap with any existing address prefixes in the VPC or any of the following reserved address ranges: 127.0.0.0/8 (IPv4 loopback addresses), 161.26.0.0/16 (IBM services), 166.8.0.0/14 (Cloud Service Endpoints), 169.254.0.0/16 (IPv4 link-local addresses), 224.0.0.0/4 (IPv4 multicast addresses). The prefix length of the client IP address pool's CIDR must be between /9 (8,388,608 addresses) and /22 (1024 addresses). A CIDR block that contains twice the number of IP addresses that are required to enable the maximum number of concurrent connections is recommended.
- --cert: The certificate instance CRN for this VPN server.
- --client-auth-methods: Comma-separated list of client authentication methods. One of: certificate, username, certificate,username, username,certificate.
- --client-ca: The CRN of the certificate instance to use for the VPN client certificate authority (CA).
- --client-crl: CRL | @CRL-file. The certificate revocation list contents, encoded in PEM format.
- --client-dns: Comma-separated list of DNS server addresses that are provided to VPN clients connected to this VPN server. At most two DNS servers can be set.
- --client-idle-timeout: The seconds a VPN client can be idle before this VPN server will disconnect it. Specify 0 to prevent the server from disconnecting idle clients (default: 600).
- --enable-split-tunnel: Indicates whether the split tunneling is enabled on this VPN server. One of: false, true (default: false).
- --port: The port number to use for this VPN server (default: 443).
- --protocol: The transport protocol to use for this VPN server. One of: udp, tcp (default: udp).
- --security-group: ID of the security group.
- --name: Name for the VPN server.
- --resource-group-id: ID of the resource group. This option is mutually exclusive with --resource-group-name.
- --resource-group-name: Name of the resource group. This option is mutually exclusive with --resource-group-id.
- --output: Specify the output format; only JSON is supported. One of: JSON.
- -q, --quiet: Suppress verbose output.
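The --client-ip-pool constraints above are the ones most often violated when a pool is chosen by hand, and a rejected create call is the first time you find out. The following Python is an added pre-flight check, not part of the IBM Cloud documentation or CLI: it encodes the reserved ranges and the /9 to /22 bound as stated for the option, and compares a proposed pool against a caller-supplied (here constructed) list of VPC address prefixes and an expected peak connection count.

```python
# Pre-flight check for the --client-ip-pool value of a client-to-site VPN server.
# Constructed example encoding the option's stated constraints: no overlap with VPC
# address prefixes or reserved ranges, prefix length /9 to /22, and a pool holding
# twice the addresses needed for the expected peak number of connections.
import ipaddress

# Reserved ranges that the pool must not overlap, as listed for --client-ip-pool.
RESERVED_RANGES = {
    "127.0.0.0/8": "IPv4 loopback addresses",
    "161.26.0.0/16": "IBM services",
    "166.8.0.0/14": "Cloud Service Endpoints",
    "169.254.0.0/16": "IPv4 link-local addresses",
    "224.0.0.0/4": "IPv4 multicast addresses",
}

def check_client_ip_pool(pool, vpc_prefixes, max_clients):
    """Return a list of problems with the proposed pool; an empty list means it passes.

    pool         -- CIDR string intended for --client-ip-pool
    vpc_prefixes -- address prefixes already present in the VPC (caller supplies)
    max_clients  -- expected maximum number of concurrent VPN connections
    """
    try:
        # strict=False masks off any host bits instead of rejecting the value.
        net = ipaddress.ip_network(pool, strict=False)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["pool must be IPv4"]
    problems = []
    # Allowed prefix lengths: /9 (8,388,608 addresses) through /22 (1,024 addresses).
    if not 9 <= net.prefixlen <= 22:
        problems.append(f"prefix length /{net.prefixlen} outside /9-/22")
    for cidr, desc in RESERVED_RANGES.items():
        if net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"overlaps reserved range {cidr} ({desc})")
    for prefix in vpc_prefixes:
        if net.overlaps(ipaddress.ip_network(prefix)):
            problems.append(f"overlaps VPC address prefix {prefix}")
    # Recommendation: twice the addresses needed for the maximum concurrent connections.
    if net.num_addresses < 2 * max_clients:
        problems.append(f"{net.num_addresses} addresses is below 2 x {max_clients} connections")
    return problems

if __name__ == "__main__":
    # Constructed VPC with one address prefix and an expected peak of 600 clients.
    for candidate in ("192.168.48.0/22", "10.240.0.0/22", "169.254.0.0/22"):
        print(candidate, check_client_ip_pool(candidate, ["10.240.0.0/18"], 600) or "OK")
```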
Command examples
ibmcloud is vpn-server-create --subnets 0717-a7191f77-7c87-4ad4-bb11-a37f9e9fc0f0,0736-4b871e22-e819-4f87-bb17-e457a88246a2 --cert crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc --client-ip-pool 190.165.7.0/20 --client-auth-methods certificate --client-ca crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc
ibmcloud is vpn-server-create --name myvpnserver --subnets 0717-a7191f77-7c87-4ad4-bb11-a37f9e9fc0f0,0736-4b871e22-e819-4f87-bb17-e457a88246a2 --cert crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc --client-ip-pool 190.166.7.0/20 --client-auth-methods username
ibmcloud is vpn-server-create --name myvpnserver2 --subnets 0717-a7191f77-7c87-4ad4-bb11-a37f9e9fc0f0 --cert crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc --client-ip-pool 190.167.7.0/20 --client-auth-methods username --client-dns 9.9.9.9,8.8.8.8 --protocol tcp --port 8888 --enable-split-tunnel true --client-idle-timeout 1200
ibmcloud is vpn-server-create --name myvpnserver3 --subnets 0717-a7191f77-7c87-4ad4-bb11-a37f9e9fc0f0 --cert crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc --client-ip-pool 190.168.7.0/20 --client-auth-methods username --security-group r006-e32f671c-463d-4f93-88e3-2dd0413476b4 --security-group r006-3af7a9db-d9bc-43d4-bced-93e0a33fee25
ibmcloud is vpn-server-create --subnets 0736-4b871e22-e819-4f87-bb17-e457a88246a2 --client-ip-pool 192.170.0.0/22 --client-dns 172.34.1.100 --cert crn:v1:bluemix:public:cloudcerts:us-south:a/0046b57b897f419080c4ed3e011b86d4:5f1a72bc-b4c2-413f-bd22-011cfa4be5db:certificate:c81627a1bf6f766379cc4b98fd21ccd6 --client-auth-methods certificate,username --client-ca crn:v1:bluemix:public:cloudcerts:us-south:a/0046b57b897f419080c4ed3e011b86d4:5f1a72bc-b4c2-413f-bd22-011cfa4be5db:certificate:c81627a1bf6f766379cc4b98fd21ccd6 --client-crl @./openvpn/crl.pem --name vpnswithcrl --security-group r006-5744b689-e5c4-461d-9f9b-ce5e7e8dbed6
Creating a VPN server with the API
To create a client-to-site VPN server with the API, follow these steps:
- Set up your API environment with the right variables.
- Store any additional variables to be used in the API commands; for example:
  - ResourceGroupId - Find the resource group ID by using the get resource groups command, then populate the variable: export ResourceGroupId=<your_resourcegroup_id>
  - SubnetId - Find the subnet ID by using the get subnet command, then populate the variable: export SubnetId=<your_subnet_id>
- When all variables are initialized, create the VPN server:
curl -X POST "$vpc_api_endpoint/v1/vpn_servers?version=$api_version&generation=2" \
  -H "Authorization: $iam_token" \
  -d '{
    "certificate": {
      "crn": "crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc"
    },
    "client_ip_pool": "192.168.50.0/22",
    "name": "my-new-vpn-server",
    "subnets": [
      { "id": "0716-046c3fd3-1cc5-40f6-b0ad-bbc305308f6d" },
      { "id": "0717-30ff71ff-3e90-42a9-aa93-96a062081f18" }
    ],
    "client_authentication": [
      {
        "method": "certificate",
        "client_ca": {
          "crn": "crn:v1:bluemix:public:cloudcerts:us-south:a/aa5a471f75bc456fac416bf02c4ba6de:1862b0b4-c1f8-4eef-a6b5-e9c00c9f593d:certificate:6c801ef768c139d986b4c6f91175e8cc"
        }
      },
      {
        "method": "username",
        "identity_provider": { "provider_type": "iam" }
      }
    ],
    "resource_group": { "id": "'$ResourceGroupId'" }
  }'
Next steps
- To validate that the VPN server was created successfully, wait a few minutes and then go to the Client-to-site servers table to ensure that the VPN server status is Stable and the Health status is Healthy.
- Create VPN routes.
- Set up a VPN client environment and connect to the VPN server.